Got Spammed from a contact form
#11

[eluser]Référencement Google[/eluser]
So, here is what I have done:

In the form, I have added a hidden field (this form doesn't require a country thing, so I am sure that if it was filled, that isn't normal):

Code:
<?php echo form_hidden('country'); ?>

Then I have done this in the controller (after validation passed):

Code:
// If the country value is set, this means a spambot possibly owns the form
if($this->input->post('country'))
{
    // Latest chance for this bot, if the mail domain is valid, we will accept him, else we reject
    $parts = explode("@", $this->input->post('email'));

    if(checkdnsrr($parts[1], "MX"))
    {
        // Ok, maybe that wasn't a bot...
        return TRUE;
    }
    else
    {
        // No no, really I don't trust you, YOU ARE A BOT YEAH?
        $this->validation->error_string = "<h1>Une erreur anormale s'est produite !</h1>
        <p>Vous ne pouvez pas utiliser ce formulaire.<br />
        Veuillez nous contacter par téléphone.</p>";

        return FALSE;
    }
}

Code explanation:
If the Country was posted, that means there is something not normal like a spambot, but in doubt I check for a valid email DNS because if it's a bot, most of the time the domain is a fake or a random invalid generated one.

It's not 100% reliable code as the domain checking is often not allowed from servers, but that was really an additional check in case of doubt that it wasn't a bot.

This code also doesn't protect me if a spambot has a valid DNS address, but that should be enough to block the one that has been annoying me for 2 days with 100 spams / day.

Christophe
#12

[eluser]Bogdan Tanase[/eluser]
I'm not sure a hidden input is the best way. A more advanced bot might parse your form and only attempt to POST the visible inputs. If I were to create a bot, I would post the hidden fields with their generated value (in this case, none).

On the other hand, if you hide it with CSS (maybe put a regular input in a container - a div or smth - and set display:none) as manilodisan said it's far more difficult to parse. In that container you could also put a warning not to complete the field, just in case the user visits the site with a very-very outdated browser that does not support CSS.
#13

[eluser]Référencement Google[/eluser]
Ok, I will test my code for some time and if I get spammed again I will come back to this post to try other solutions.
#14

[eluser]xwero[/eluser]
I think Lones technique is based on the fact that bots are not going to trigger JavaScript because they send their forms via a curl request and not via the actual form.

The technique you are using is a mix of Lones technique and the technique of a honey pot input field that is hidden from the user, because most bots add something to all the input fields. This technique is questionable as screen readers will see/read the field, so you have to give it a name like no_data, i_m_a_bot so that screen reader users know it's a honey pot field.

If I were a bot coder I would search for the required fields of the form and only add data to those fields; this breaks the honey pot field technique. But as long as the honey pot field technique works I would create an array of field names and randomize the honey pot field name. It will have a class with a name that is not recognizable as a class to hide the input.

Most contact forms I make have bot control by letting the users do a simple sum based on the values that are stored in a session variable.
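
The randomized honey pot field described in the post above, sketched as an added example (not code from any poster in this thread). The function names, the session keys `hp_field` and `hp_class`, and the label text are assumptions; plain arrays stand in for `$_SESSION` and `$_POST` so the script runs from the command line.

```php
<?php
// Added example: per-request honey pot field name kept in the session.
// All function, key and field names here are hypothetical.

function honeypot_issue(array &$session): array
{
    // Random names so a bot cannot hard-code which field or class to skip.
    $session['hp_field'] = 'f_' . bin2hex(random_bytes(6));
    $session['hp_class'] = 'c_' . bin2hex(random_bytes(4));
    return [$session['hp_field'], $session['hp_class']];
}

function honeypot_html(string $field, string $class): string
{
    // The label tells screen reader users to leave the field empty.
    return "<style>.$class{display:none}</style>\n"
         . "<div class=\"$class\"><label>Leave this field empty "
         . "<input type=\"text\" name=\"$field\" value=\"\" "
         . "autocomplete=\"off\" tabindex=\"-1\"></label></div>";
}

function honeypot_tripped(array &$session, array $post): bool
{
    $field = $session['hp_field'] ?? null;
    unset($session['hp_field'], $session['hp_class']); // one use per form load
    if ($field === null) {
        return true; // the form was never loaded in this session
    }
    // A browser still submits a display:none text input, as an empty string,
    // so both a filled field and a missing field are treated as suspicious.
    return !isset($post[$field]) || $post[$field] !== '';
}

// Constructed demo data.
$session = [];
[$field, $class] = honeypot_issue($session);
echo honeypot_html($field, $class), "\n";

$human = ['firstname' => 'Ann', $field => ''];
var_dump(honeypot_tripped($session, $human));   // browser-like submission

[$field] = honeypot_issue($session);
$bot = ['firstname' => 'x', $field => 'http://spam.example'];
var_dump(honeypot_tripped($session, $bot));     // every field filled in
```

A bot that parses the form and posts every field with its default value still passes this check, which is the limitation raised earlier in the thread.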
#15

[eluser]Yash[/eluser]
What I like most is: create a div, place the input in it and make the div display:none. I will implement this in my apps.

Thank you guys for such a good discussion.
#16

[eluser]Référencement Google[/eluser]
F*****, just received another spamming session.... my code didn't work.
#17

[eluser]Dready[/eluser]
Better try the trick from manilodisan. In short:

CSS file:
Code:
.someclass {
  display:none;
}

your form :
Code:
<form ...>
<input type="text" name="firstname">
<input type="text" name="botitbaby" class="someclass">
<input type="text" name="lastname">
...
</form>

and PHP:
Code:
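// The hidden field must stay empty; isset() avoids a notice when it is not posted
if ( isset($_POST['botitbaby']) && strlen($_POST['botitbaby']) ) {
   echo "It's a F********* BOT";
}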
#18

[eluser]HdotNET[/eluser]
Most bots harvest your form and post to it remotely. You can do checks on referrer etc, but these can be spoofed. I've been using this for years:

Code:
&lt;input type="hidden" name="HASHCODE" value="1" /&gt;

HASHCODE is created as follows:

Code:
$hashcode = md5(date('Y-m-d').'some_string');

After post just look for

Code:
$_POST[md5(date('Y-m-d').'some_string')];

This way, any harvested form will only work for a maximum of 24 hours.

The downside is that if a visitor loads the form at 23:59 and posts it at 01:01 then it will fail.
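
An added example (not HdotNET's code) that goes beyond the daily hash in the post above: the token carries its own issue time and an HMAC over it, so expiry is measured from when the form was loaded instead of from the calendar date. `FORM_SECRET`, `TOKEN_MAX_AGE` and the function names are assumptions; the value would be sent in a hidden input and checked after the POST.

```php
<?php
// Added example: signed, timestamped form token (all names are hypothetical).
const FORM_SECRET   = 'replace-with-a-long-random-secret'; // placeholder value
const TOKEN_MAX_AGE = 3600;                                 // seconds, assumed

function form_token_issue(int $now): string
{
    // Token format: "<unix time>.<HMAC-SHA256 of that time>"
    $mac = hash_hmac('sha256', (string) $now, FORM_SECRET);
    return $now . '.' . $mac;
}

function form_token_valid($token, int $now): bool
{
    if (!is_string($token) || substr_count($token, '.') !== 1) {
        return false;
    }
    [$issued, $mac] = explode('.', $token);
    if (!ctype_digit($issued)) {
        return false;
    }
    // Constant-time comparison against the MAC we would have issued.
    $expected = hash_hmac('sha256', $issued, FORM_SECRET);
    if (!hash_equals($expected, $mac)) {
        return false; // forged or altered token
    }
    $age = $now - (int) $issued;
    return $age >= 0 && $age <= TOKEN_MAX_AGE;
}

// Constructed demo: the form is loaded at 23:59 and posted later.
$loaded = strtotime('2024-01-01 23:59:00 UTC');
$token  = form_token_issue($loaded);

var_dump(form_token_valid($token, $loaded + 120));   // posted just after midnight
var_dump(form_token_valid($token, $loaded + 7200));  // harvested copy replayed later
var_dump(form_token_valid('1.' . str_repeat('0', 64), $loaded)); // made-up token
```

A bot that fetches the form again before every post still receives a valid token, so this only defeats harvested copies of the form.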
#19

[eluser]HdotNET[/eluser]
Incidentally.... y'all might be interested in this:

[link]
http://googlewebmastercentral.blogspot.c...forms.html
[/link]
#20

[eluser]Yash[/eluser]
Just a tip: use the link like this, removing the *:
[*url="http://someurl.com*]some[*/url*]

lemme check this link



